Western Digital blames malware for My Book Live devices being wiped remotely
It's advising owners to disconnect the device from the internet for now.
June 25th, 2021
People who own and use a Western Digital My Book Live cloud storage device may want to disconnect it from the internet as soon as possible. As first reported by Bleeping Computer, a number of people worldwide who own the network-attached storage device took to the company's forum to report that all their files had been deleted. Terabytes' worth of data, years of memories and months of hard work vanished in an instant. The users couldn't even log into WD's cloud infrastructure for diagnosis, because their passwords were no longer working.
The WD My Book Live devices connect to the internet via an Ethernet cable, and owners can use them to wirelessly back up their computers or to access their files from any device. It's a great solution for homes and businesses with multiple computers and phones that run different operating systems.
Several owners looked into the cause of the issue and determined that their devices were wiped after receiving a remote command for a factory reset. The commands started going out at 3PM on Wednesday and lasted throughout the night. One user posted a copy of their log showing how a script was run to shut down their storage device for a factory restore:
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
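A check for the pattern in the log above, written as an added example (not code from the article, the forum post or Western Digital): it scans syslog text for a factoryRestore.sh run followed by a reboot and records when the data volume was next mounted. The 60-second window, the year argument and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the log quoted above
# (hostname and script names are the ones shown in that excerpt).
SAMPLE_LOG = """\
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
"""

# timestamp, host, program name, message
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:\s]+): (.*)$")

def parse(text, year=2021):
    """Yield (timestamp, host, program, message) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines
        # Syslog timestamps carry no year, so the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(2), m.group(3), m.group(4)

def find_factory_resets(text, window=timedelta(seconds=60), year=2021):
    """Return one record per factoryRestore.sh run, noting the reboot and next boot."""
    findings = []
    for ts, host, prog, msg in parse(text, year):
        if prog == "factoryRestore.sh" and msg.startswith("begin script"):
            findings.append({"host": host, "reset_at": ts,
                             "rebooted": False, "back_up_at": None})
        elif findings and findings[-1]["host"] == host:
            last = findings[-1]
            if prog == "shutdown" and ts - last["reset_at"] <= window:
                last["rebooted"] = True  # reboot closely follows the restore script
            elif (prog == "S15mountDataVolume.sh" and last["rebooted"]
                  and last["back_up_at"] is None):
                last["back_up_at"] = ts  # first data-volume mount after the reset
    return findings

if __name__ == "__main__":
    for finding in find_factory_resets(SAMPLE_LOG):
        print(finding)
```
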
As Bleeping Computer notes, the storage solution communicates through the My Book Live cloud servers to provide remote access. It's an old model that hasn't been updated since 2015, but it's still protected by a firewall. Some of the affected owners expressed concerns that Western Digital's servers were hacked, allowing bad actors to send out a remote factory reset command to all devices connected to them.
However, Western Digital blames the incident on malware in a statement it issued to address the situation. The company said some My Book Live devices were compromised, though it didn't explain how bad actors were able to infiltrate them, and that owners should disconnect the storage solution from the internet for now.
The whole statement reads:
"Western Digital has determined that some My Book Live devices are being compromised by malicious software. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015. We understand that our customers' data is very important. At this time, we recommend you disconnect your My Book Live from the Internet to protect your data on the device. We are actively investigating and we will provide updates to this thread when they are available."